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Topics Covered in This Talk 


• K8S Ingress Controllers 

• What are K8S Ingress Controllers 

• Types of Ingress Controllers 

• Let’s Encrypt 

• What is Let’s Encrypt 

• Why should you care about Let’s Encrypt 

• Intro into the ACME protocol 

• Combining K8S Ingress Controllers 

• cert-manager 


Q&A 


What Will Not Be Covered 


• K8S use in general 

• Certificate authorities other than Let’s Encrypt 

• Vendor specific issues 

• Why Emacs is better than VIM (even though it clearly is) 


What are K8S Ingress 

Controllers 


• K8S pods and services are 
only available within the 
cluster 

• So you’re application works 
and is secure, right? 

• Only problem is an application 
needs users and customers 







What are K8S Ingress 

Controllers 


• K8S ingress controllers bridge 
this gap 

• They allow outside 
connections to reach the 
internal cluster network 








Ingress Controller Types 


• Single Service 

• All requests go to a single k8s service 

• Fan Out 

• Different paths are mapped to different services 

• Virtual Host 

• Different subdomains are mapped to different services 

• TLS 

• Certificate stored in Kubernetes secret 


What is Let’s Encrypt 


Let’s Encrypt is a trusted Certificate Authority (CA) 

Certificates from a trusted CA used to costs a lot of 
money 

Let’s Encrypt is a free, automatic, and easy to use 


ACME Protocol 


Let’s Encrypt Certification’s Two phases 

• Establishing control of a domain 

• Requesting, revoking, and renewing certificates 


ACME Protocol 


Agent creates a public-private 
key pair 

A challenge is issued to the 
agent 

• A nonce that is to be 
encrypted with the private 
key 

• An action done to or on the 
domain 






ACME Protocol 


Let’s Encrypt now knows the 
server as the holder of the 
private key 

It checks the action requested 
was also done to the server 

Now it has established an 
identity of the server and that 
it controls the domain 







ACME Protocol 


• Established 

• Authorized key pair 

• Server controls domain 

• Authorized key pairs are able: 

• PKCS#10 Certificate Signing Request 

• Revoke certificates 


• Etc 



rotisserie.tv 


An open source https Kubernetes based application 
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PUBG 


PlayerUnkown’s BattleGrounds 

• 100 person battle royale game 

• Dropped with no ammo, weapons, armor, etc 

• Last person (or team) left alive wins 
20 Million Copies sold 

Not technically finished 
Slow paced 

• Games last 20-40 minutes 


First 15 minutes are looting 
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Livestreamer 


• Cli application for streaming various videos including 
twitch 

• Easy to use and just works 

TensorFlow Based OCR 


• An open source deep learning framework 

• Custom trained on the fonts 


FFMPEG 

A multimedia manipulation tool 
Has a CLI 
Open source 

ImageMagick 

Image manipulation suite 
Works on many different file formats 


Open source 


Deciding the best stream 
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rotisserie architecture 









rotisserie Ingress 



Ingress 

Controller 










Nginx Ingress Controller 


apiVersior: extensicns/vlbetal 

kind: Ingress 

metadata: 

name; {■( template "rotisserie. fulliame" . }}-ingress 
chart: template "rotisserie.chart" . » 

release: {{ .Release.Maine >} 
heritage: {{ .Release.Service }> 
annotations: 

kuberretes.io/tls-acme: "True" 
ingress.bluemix.net/reJirect-to-ittps: "Trje“ 
spec: 
tls: 

- secretName: {{ template "rotisserie.fullname" .}>-tls 
hosts: 

{{- ranee .Values.ingress.hostnames }} 

- {{ . » 

{{- end >> 
rules: 

{{- ranee .Values.ingress.hostnames >} 

- host: {{ . }> 
http: 

palls; 

- path: /current 
backend: 

serviceNane: {{ template "rotisserie.fullname" $ >>-app 
servicePort: 3003 

- path: / 
backend: 

serviceNarae: {{ template "rotisserie.fullname" $ >}-static 
servicePort: 8082 



cert-manager 


• sets up service that automates certificate actions 


Demo 


Finally 




Rotisserie 
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• Working application 

• Https enabled 

• Automatically keeps 
up-to-date 

https://rotisserie.tv 





Resources 


Ingress Controllers — https://kubernetes.io/docs/ 
concepts/services-networkinq/inaress/ 

Let’s Encrypt — https://letsencrvpt.org/ 

cert-manager - https://github.com/jetstack/cert-manager/ 

kube-lego to cert-manager migration guide — https:// 

github.com/jetstack/cert-manaaer/blob/master/docs/user- 

guides/migrating-from-kube-lego.md 


rotisserie — rotisserie.tv and github.com/ibm/rotisserie 















Questions? 


